0

Logstash 解析的我的日志事件在 Loggly 中结束了四次。这可能是什么原因造成的?

一个例子是,这一行:

2014-11-05 01:52:55,485 PM PST [localhost-startStop-1] INFO  o.s.web.context.ContextLoader - Root WebApplicationContext: initialization started

在 Loggly 中看起来像这样: Loggly 屏幕抓取

我的 Logstash 配置文件如下所示:

input {
  file {
    type => "advcore-error"
    path => [ "/var/company/tomcat/logs/error/advcore-error.log"]
    sincedb_path => "$HOME/.sincedb"
  }
}

filter {
  if [type] == "advcore-error" {
    grok {
      pattern => "%{DATE_US} %{TIME},%{DATA:offset} %{DATA:meridian} %{DATA:timezone} \[%{DATA:thread}\] %{LOGLEVEL:loglevel} %{GREEDYDATA:message}"
      add_tag => "advcore-error"
    }
  }
}

output {
  loggly {
    codec => "plain"
    host => "logs-01.loggly.com"
    key => "<my-secret-key>"
    proto => "http"
    workers => 1
  }
}
4

1 回答 1

0

I figured out the issue.

I had three other Logstash config files (four total), each of them with the same Loggly output blocks.

I didn't understand that an output block in a different config file would still pipe data from all config files.

It appears that the config files in a given Logstash templates directory (and possibly elsewhere?) effectively act as one big file.

于 2014-11-06T00:20:41.707 回答